The San Francisco Transit Hack Could’ve Been Significantly Worse

A 2014 paper sanctioned and published by the American Public Transportation Association (APTA) provides damning evidence that the San Francisco transit hack could have been far more destructive than the temporary disruption caused over the weekend.

“You Hacked. ALL data encrypted,” read the message left by the culprit behind the hack of San Francisco’s public transit agency, known as Muni. The attacker demanded a ransom of 100 bitcoins (approximately $73,000), which the agency has refused to pay. Trains kept running, however, and passengers were able to ride across the city for free after Muni switched off its payment machines and opened its turnstiles.

Come Monday, all operations, including the ticket kiosks, were back to normal.

However, San Francisco got off lightly: details from the APTA report show that the fallout could have been far worse.

The American Public Transportation Association warned:

Cyberattacks can destroy a transit agency’s physical systems, render them inoperable, hand over control of those systems to an outside entity or jeopardize the privacy of employee or customer data.

As reported by WIRED, the APTA also found that many public transit systems in American cities are underfunded and ageing, with no money to invest in cybersecurity.

What is clear is that cyberattacks targeting critical infrastructure and operations, such as public transit systems and hospitals, are growing in number and are only likely to get more disruptive.

Michael Assante, director of industrial control systems security at the SANS Institute, told the publication:

In a very sophisticated attack, you not only impact control systems, but also impede the ability to restore them.

A notable example of hackers impeding any chance of recovering a targeted system is last year’s attack on Ukraine’s power grid, where the attackers overwrote the firmware of substation control devices so that they could no longer be operated remotely, and wiped the operators’ workstations, forcing power to be restored by hand.

Public transit systems are inherently vulnerable because of the “complex and interconnected series of components, subcomponents, and services” that they run on, according to APTA’s research. At the most basic level, even the infrared and Wi-Fi infrastructure that transit systems use to detect trains can be rendered useless by anyone with a box cutter and physical access to the cables.

Beyond the doom and gloom, how does a transit authority safeguard itself? The APTA recommends a few steps, including redesigning existing hardware and software around multilayered network security. Email scanning, firewalls, and software and firmware updates to patch vulnerabilities should all be the norm, the APTA argues. Further, the paper recommends separating the business side of the network, which typically manages schedules and fares, from the operational side that actually controls the trains.
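What the APTA’s recommended split between the business and operational networks can look like on a single segmentation firewall, as an added example that is not from the paper or from Muni (nftables syntax; the interface names, address ranges, historian host and ports are assumptions chosen for illustration):

```nftables
#!/usr/sbin/nft -f
# Hypothetical IT/OT segmentation for a transit agency (added example; the
# interfaces, addresses and ports below are assumptions, not from the APTA paper).
#   eth0  business network     10.10.0.0/16  (scheduling, fares, e-mail, workstations)
#   eth1  DMZ                  10.15.0.0/24  (historian replica, patch staging, jump host)
#   eth2  operational network  10.20.0.0/16  (train control, SCADA, field devices)

flush ruleset

table inet segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny between zones

        ct state established,related accept
        ct state invalid drop

        # Operational systems may push data outward to the DMZ historian only.
        iifname "eth2" oifname "eth1" ip daddr 10.15.0.10 tcp dport 5432 accept

        # Business users may read from the DMZ historian, never from the control network.
        iifname "eth0" oifname "eth1" ip daddr 10.15.0.10 tcp dport 443 accept

        # A single jump host in the DMZ may reach engineering workstations in OT over
        # SSH, so that maintenance never originates from an ordinary business PC.
        iifname "eth1" oifname "eth2" ip saddr 10.15.0.20 ip daddr 10.20.1.0/24 tcp dport 22 accept

        # Everything else, in particular any direct business -> OT flow, is logged and dropped.
        iifname "eth0" oifname "eth2" log prefix "BIZ->OT blocked: " drop
    }
}
```

The property that matters is the `policy drop` default combined with the absence of any rule accepting traffic from eth0 to eth2: schedulers still see operational data through the historian copy in the DMZ, but ransomware that takes hold on a business workstation has no network route into the systems that run the trains. Logging the blocked business-to-OT attempts also gives the operations team an early signal that something on the business side is probing where it should not.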

An incident response plan should also be in place, with documented procedures for responding to a cyberattack. These procedures should be reviewed and updated regularly, the APTA added.

Image credit: Pexels.